UID in subj args - bug?

Robert Moskowitz rgm at htt-consult.com
Thu Jul 6 17:33:49 UTC 2023


I have:

policy            = policy_loose
copy_extensions   = copy

[ policy_loose ]
# Allow the intermediate CA to sign a more
#   diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
UID                  = optional
serialnumber            = optional

And the CSR has the UID, but the proposed cert drops it.

On 7/6/23 13:27, noreply via openssl-users wrote:
>
> Hi Robert,
>
> Have you tried the commands in this solution: https://stackoverflow.com/a/70397430 ?
> It seems to be addressing the missing UID issue in certificate.
>
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Thursday, July 6th, 2023 at 10:24, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>
>> I have:
>>
>> policy = policy_loose
>> copy_extensions = copy
>>
>> [ policy_loose ]
>> # Allow the intermediate CA to sign a more
>> # diverse range of certificates.
>> # See the POLICY FORMAT section of the `ca` man page.
>> countryName = optional
>> stateOrProvinceName = optional
>> localityName = optional
>> organizationName = optional
>> organizationalUnitName = optional
>> commonName = optional
>>
>>
>> I added:
>>
>> userid = optional
>> serialnumber = optional
>>
>> And the openssl ca command still did not recognize UID. I then tried
>>
>> UID = optional
>>
>> and still did not work.
>>
>>
>> On 7/6/23 11:51, Viktor Dukhovni wrote:
>>
>>> On Thu, Jul 06, 2023 at 11:45:57AM -0400, Robert Moskowitz wrote:
>>>
>>>> I think there is a bug....
>>>>
>>>> I can provide the CSR and cert both in pem.
>>>
>>> More likely your CA config file does not specify what to do with UID RDNs
>>> when signing CSRs. The default config file has:
>>>
>>> # A few difference way of specifying how similar the request should look
>>> # For type CA, the listed attributes must be the same, and the optional
>>> # and supplied fields are just that :-)
>>> policy = policy_match
>>>
>>> # For the CA policy
>>> [ policy_match ]
>>> countryName = match
>>> stateOrProvinceName = match
>>> organizationName = match
>>> organizationalUnitName = optional
>>> commonName = supplied
>>> emailAddress = optional
>>>
>>> # For the 'anything' policy
>>> # At this point in time, you must list all acceptable 'object'
>>> # types.
>>> [ policy_anything ]
>>> countryName = optional
>>> stateOrProvinceName = optional
>>> localityName = optional
>>> organizationName = optional
>>> organizationalUnitName = optional
>>> commonName = supplied
>>> emailAddress = optional
>>>
>>> No mention of UIDs there.
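Added example, not code from the thread or from OpenSSL: a Python model of the rules in the POLICY FORMAT section of ca(1), which states that `match` must equal the CA certificate's value, `supplied` must be present, `optional` may be present, and any RDN type not listed in the policy section is silently deleted from the issued subject (and the issued DN follows the policy section's order). Run against the policy_loose section above with and without the added `UID = optional` line, it shows the documented outcome for a CSR that carries a UID; the subjects, config text and the alias table (a subset of the names OBJ_txt2nid resolves) are constructed for the demonstration.

```python
import re
# Constructed config text modelled on the thread: the original policy_loose
# section, and the same section with the UID/serialnumber lines added.
POLICY_ORIGINAL = """
[ policy_loose ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
"""
POLICY_WITH_UID = POLICY_ORIGINAL + "UID = optional\nserialnumber = optional\n"
# Short/long name pairs as openssl resolves them (assumed subset for this demo).
ALIASES = {"c": "countryName", "st": "stateOrProvinceName", "l": "localityName",
           "o": "organizationName", "ou": "organizationalUnitName",
           "cn": "commonName", "userid": "UID", "emailaddress": "emailAddress"}

def canon(name):
    return ALIASES.get(name.strip().lower(), name.strip())

def parse_policy(text, section):
    """Ordered (rdn_type, rule) pairs from one [ section ] of a ca config."""
    rules, active = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            active = header.group(1) == section
        elif active and "=" in line:
            key, rule = (s.strip() for s in line.split("=", 1))
            rules.append((canon(key), rule))
    return rules

def parse_subject(subj):
    """'/C=US/CN=rgm' -> [('countryName', 'US'), ('commonName', 'rgm')]"""
    return [(canon(k), v) for k, v in (p.split("=", 1) for p in subj.strip("/").split("/"))]

def apply_policy(csr_subject, ca_subject, rules):
    """Subject openssl ca would issue: policy order, unlisted RDN types dropped."""
    req, ca = dict(parse_subject(csr_subject)), dict(parse_subject(ca_subject))
    issued = []
    for rdn, rule in rules:
        if rule == "match" and req.get(rdn) != ca.get(rdn):
            raise ValueError(f"{rdn} must match the CA certificate")
        if rule == "supplied" and rdn not in req:
            raise ValueError(f"{rdn} must be supplied in the request")
        if rdn in req:
            issued.append((rdn, req[rdn]))
    return issued
```

With the original section the UID never reaches the issued subject; with `UID = optional` (or its long form `userid`) listed, the model keeps it, which is the behaviour the documentation leads one to expect from the added line.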
